Re: [PATCH v2 11/11] binman: etype: Add xilinx_fsbl_auth etype
Hi Lukas,
On Thu, 6 Jul 2023 at 09:38, wrote:
>
> From: Lukas Funke
>
> This adds a new etype 'xilinx_fsbl_auth'. Using this etype it is possible
> to created an authenticated SPL (FSBL in Xilinx terms) for ZynqMP boards.
>
> The etype uses Xilinx Bootgen tools in order to transform the SPL into
> a bootable image and sign the image with a given primary and seconrady
> public key. For more information to signing the FSBL please refer to the
> Xilinx Bootgen documentation.
>
> Here is an example of the etype in use:
>
> spl {
> filename = "boot.signed.bin";
>
> xilinx_fsbl_auth {
> psk-filename = "psk0.pem";
> ssk-filename = "ssk0.pem";
> auth-params = "ppk_select=0", "spk_id=0x";
>
> u_boot_spl_nodtb {
> };
> u_boot_spl_dtb {
> };
> };
> };
>
> For this to work the hash of the primary public key has to be fused
> into the ZynqMP device and authentication (RSA_EN) has to be set.
>
> For testing purposes: if ppk hash check should be skipped one can add
> the property 'fsbl_config = "bh_auth_enable";' to the etype. However,
> this should only be used for testing(!).
>
> Signed-off-by: Lukas Funke
>
> ---
>
> Changes in v2:
> - Add 'keysrc-enc' property to pass down to Bootgen
> - Improved documentation
> - Use predictable output names for intermediated results
>
> tools/binman/entries.rst | 53 ++
> tools/binman/etype/xilinx_fsbl_auth.py | 213 +
> 2 files changed, 266 insertions(+)
> create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
>
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index c3c5bda881..98ec3c82a5 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -2462,3 +2462,56 @@ may be used instead.
>
>
>
> +.. _etype_xilinx_fsbl_auth:
> +
> +Entry: xilinx-fsbl-auth: Authenticated SPL for booting Xilinx ZynqMP devices
> +
> +
> +Properties / Entry arguments:
> +- auth-params: (Optional) Authentication parameters passed to bootgen
> +- fsbl-config: (Optional) FSBL parameters passed to bootgen
> +- keysrc-enc: (Optional) Key source when using decryption engine
> +- pmufw-filename: Filename of PMU firmware. Default: pmu-firmware.elf
> +- psk-filename: Filename of primary public key
> +- ssk-filename: Filename of secondary public key
> +
> +The following example builds an authenticated boot image. The fuses of
> +the primary public key (ppk) should be fused together with the RSA_EN flag.
> +
> +Example node::
> +
> +spl {
> +filename = "boot.signed.bin";
> +
> +xilinx-fsbl-auth {
> +psk-filename = "psk0.pem";
> +ssk-filename = "ssk0.pem";
> +auth-params = "ppk_select=0", "spk_id=0x";
> +
> +u-boot-spl-nodtb {
> +};
> +u-boot-spl-pubkey-dtb {
> +algo = "sha384,rsa4096";
> +required = "conf";
> +key-name = "dev";
> +};
> +};
> +};
> +
> +For testing purposes, e.g. if no RSA_EN should be fused, one could add
> +the "bh_auth_enable" flag in the fsbl-config field. This will skip the
> +verification of the ppk fuses and boot the image, even if ppk hash is
> +invalid.
> +
> +Example node::
> +
> +xilinx-fsbl-auth {
> +psk-filename = "psk0.pem";
> +ssk-filename = "ssk0.pem";
> +...
> +fsbl-config = "bh_auth_enable";
> +...
> +};
> +
> +
> +
> diff --git a/tools/binman/etype/xilinx_fsbl_auth.py
> b/tools/binman/etype/xilinx_fsbl_auth.py
> new file mode 100644
> index 00..72794ad2bc
> --- /dev/null
> +++ b/tools/binman/etype/xilinx_fsbl_auth.py
> @@ -0,0 +1,213 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +# Copyright (c) 2023 Weidmueller GmbH
> +# Written by Lukas Funke
> +#
> +# Entry-type module for signed ZynqMP boot images (boot.bin)
> +#
> +
> +import tempfile
> +
> +from collections import OrderedDict
> +
> +from binman import elf
> +from binman.entry import Entry
> +
> +from dtoc import fdt_util
> +
> +from u_boot_pylib import tools
> +from u_boot_pylib import command
> +
> +# pylint: disable=C0103
> +class Entry_xilinx_fsbl_auth(Entry):
> +"""Authenticated SPL for booting Xilinx ZynqMP devices
> +
> +Properties / Entry arguments:
> +- auth-params: (Optional) Authentication parameters passed to bootgen
> +- fsbl-config: (Optional) FSBL parameters passed to bootgen
> +- keysrc-enc: (Optional) Key source when using decryption engine
> +- pmufw-filename: Filename of PMU firmware. Default: pmu-firmware.elf
> +- psk-filename: Filename of primary public key
> +- ssk-filename: Filename of secondary public key
Can you link to some docs that explains what all of these really are,
e.g. format of files.
> +
> +The
[PATCH v2 11/11] binman: etype: Add xilinx_fsbl_auth etype
From: Lukas Funke
This adds a new etype 'xilinx_fsbl_auth'. Using this etype it is possible
to created an authenticated SPL (FSBL in Xilinx terms) for ZynqMP boards.
The etype uses Xilinx Bootgen tools in order to transform the SPL into
a bootable image and sign the image with a given primary and seconrady
public key. For more information to signing the FSBL please refer to the
Xilinx Bootgen documentation.
Here is an example of the etype in use:
spl {
filename = "boot.signed.bin";
xilinx_fsbl_auth {
psk-filename = "psk0.pem";
ssk-filename = "ssk0.pem";
auth-params = "ppk_select=0", "spk_id=0x";
u_boot_spl_nodtb {
};
u_boot_spl_dtb {
};
};
};
For this to work the hash of the primary public key has to be fused
into the ZynqMP device and authentication (RSA_EN) has to be set.
For testing purposes: if ppk hash check should be skipped one can add
the property 'fsbl_config = "bh_auth_enable";' to the etype. However,
this should only be used for testing(!).
Signed-off-by: Lukas Funke
---
Changes in v2:
- Add 'keysrc-enc' property to pass down to Bootgen
- Improved documentation
- Use predictable output names for intermediated results
tools/binman/entries.rst | 53 ++
tools/binman/etype/xilinx_fsbl_auth.py | 213 +
2 files changed, 266 insertions(+)
create mode 100644 tools/binman/etype/xilinx_fsbl_auth.py
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index c3c5bda881..98ec3c82a5 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -2462,3 +2462,56 @@ may be used instead.
+.. _etype_xilinx_fsbl_auth:
+
+Entry: xilinx-fsbl-auth: Authenticated SPL for booting Xilinx ZynqMP devices
+
+
+Properties / Entry arguments:
+- auth-params: (Optional) Authentication parameters passed to bootgen
+- fsbl-config: (Optional) FSBL parameters passed to bootgen
+- keysrc-enc: (Optional) Key source when using decryption engine
+- pmufw-filename: Filename of PMU firmware. Default: pmu-firmware.elf
+- psk-filename: Filename of primary public key
+- ssk-filename: Filename of secondary public key
+
+The following example builds an authenticated boot image. The fuses of
+the primary public key (ppk) should be fused together with the RSA_EN flag.
+
+Example node::
+
+spl {
+filename = "boot.signed.bin";
+
+xilinx-fsbl-auth {
+psk-filename = "psk0.pem";
+ssk-filename = "ssk0.pem";
+auth-params = "ppk_select=0", "spk_id=0x";
+
+u-boot-spl-nodtb {
+};
+u-boot-spl-pubkey-dtb {
+algo = "sha384,rsa4096";
+required = "conf";
+key-name = "dev";
+};
+};
+};
+
+For testing purposes, e.g. if no RSA_EN should be fused, one could add
+the "bh_auth_enable" flag in the fsbl-config field. This will skip the
+verification of the ppk fuses and boot the image, even if ppk hash is
+invalid.
+
+Example node::
+
+xilinx-fsbl-auth {
+psk-filename = "psk0.pem";
+ssk-filename = "ssk0.pem";
+...
+fsbl-config = "bh_auth_enable";
+...
+};
+
+
+
diff --git a/tools/binman/etype/xilinx_fsbl_auth.py
b/tools/binman/etype/xilinx_fsbl_auth.py
new file mode 100644
index 00..72794ad2bc
--- /dev/null
+++ b/tools/binman/etype/xilinx_fsbl_auth.py
@@ -0,0 +1,213 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2023 Weidmueller GmbH
+# Written by Lukas Funke
+#
+# Entry-type module for signed ZynqMP boot images (boot.bin)
+#
+
+import tempfile
+
+from collections import OrderedDict
+
+from binman import elf
+from binman.entry import Entry
+
+from dtoc import fdt_util
+
+from u_boot_pylib import tools
+from u_boot_pylib import command
+
+# pylint: disable=C0103
+class Entry_xilinx_fsbl_auth(Entry):
+"""Authenticated SPL for booting Xilinx ZynqMP devices
+
+Properties / Entry arguments:
+- auth-params: (Optional) Authentication parameters passed to bootgen
+- fsbl-config: (Optional) FSBL parameters passed to bootgen
+- keysrc-enc: (Optional) Key source when using decryption engine
+- pmufw-filename: Filename of PMU firmware. Default: pmu-firmware.elf
+- psk-filename: Filename of primary public key
+- ssk-filename: Filename of secondary public key
+
+The following example builds an authenticated boot image. The fuses of
+the primary public key (ppk) should be fused together with the RSA_EN flag.
+
+Example node::
+
+spl {
+filename = "boot.signed.bin";
+
+xilinx-fsbl-auth {
+psk-filename = "psk0.pem";
+ssk-filename = "ssk0.pem";
+auth-params = "ppk_select=0", "spk_id=0x";
+
